Vyatta Network OS Documentation


Matching TCP flags

The vRouter supports filtering on the TCP flags within TCP packets. For example, to create a rule to accept packets with the SYN flag set and the ACK, FIN, and RST flags unset, perform the following steps in configuration mode.

Table 1. Accepting packets with specific TCP flags set
Step Command

Set the protocol to match to TCP.

vyatta@R1# set security firewall name TCP-FLAGS rule 30 protocol tcp 

Set the TCP flags to match.

vyatta@R1# set security firewall name TCP-FLAGS rule 30 tcp flags SYN,!ACK,!FIN,!RST

Set the action to accept.

vyatta@R1# set security firewall name TCP-FLAGS rule 30 action accept

Commit the configuration.

vyatta@R1# commit

Show the configuration.

vyatta@R1# show security firewall name TCP-FLAGS

name TCP-FLAGS {
    rule 30 {
        action accept
        protocol tcp
        tcp {
            flags SYN,!ACK,!FIN,!RST
        }
    }
}
vyatta@R1#
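
The following added example (not vRouter code and not part of the original documentation) models how the expression from rule 30 selects packets: named flags must be set, flags prefixed with ! must be unset. It assumes that flags the expression does not name, such as PSH and URG here, are not examined; the flag table is taken from the TCP header, not from the list of keywords the vRouter accepts, and the sample flag bytes are constructed.

```python
# Added illustration: models a flag expression such as "SYN,!ACK,!FIN,!RST"
# as a (mask, value) pair over the TCP flags byte. Not vRouter source code.

TCP_FLAG_BITS = {  # bit values from the TCP header, not vRouter keywords
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}

PAGE_SPEC = "SYN,!ACK,!FIN,!RST"  # expression used in rule 30 on this page

def compile_flag_spec(spec):
    """Return (mask, value): mask = flags examined, value = flags that must be set."""
    mask = value = 0
    for token in spec.split(","):
        token = token.strip()
        negated = token.startswith("!")
        name = token.lstrip("!").upper()
        if name not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag: {token!r}")
        bit = TCP_FLAG_BITS[name]
        if mask & bit:
            raise ValueError(f"flag listed twice: {name}")
        mask |= bit
        if not negated:
            value |= bit
    return mask, value

def matches(spec, flags_byte):
    """True if the packet's flags byte satisfies the expression."""
    mask, value = compile_flag_spec(spec)
    return (flags_byte & mask) == value

def flag_names(flags_byte):
    """Human-readable form of a flags byte, e.g. 0x12 -> 'SYN+ACK'."""
    return "+".join(n for n, b in TCP_FLAG_BITS.items() if flags_byte & b) or "none"

# Constructed sample flag bytes (assumption: made up for this example)
SAMPLES = [0x02, 0x12, 0x10, 0x04, 0x03, 0x0A, 0xC2]

def evaluate(spec=PAGE_SPEC, samples=SAMPLES):
    """Map each sample's flag names to whether the expression matches it."""
    return {flag_names(f): matches(spec, f) for f in samples}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:<12} {'match' if ok else 'no match'}")
```

Under this model a bare SYN matches, SYN+ACK and FIN+SYN do not, and SYN+PSH still matches because PSH is not named in the expression.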